19-Jul-2021 17:49
Hello
When my VS is invoked from Cloudflare, the header contains two IP addresses. I have identified that the first IP address of the header corresponds to the user that connects and the second IP address corresponds to Cloudflare.
Is it possible to insert only the IP address of the connecting user and remove the IP address from Cloudflare?
19-Jul-2021 22:25
Hi satyr,
Cloudflare has another header you could use, see the article for True-Client-IP header:
Understanding the True-Client-IP Header
Enable this header and try to update your iRule like this:
when HTTP_REQUEST {
    HTTP::header insert X-Forwarded-For [HTTP::header value "True-Client-IP"]
}
Let us know if this has solved your issue.
KR
Daniel
20-Jul-2021 09:03
Hello Daniel
Thanks for reading my question.
Let me do the test and I will confirm whether the result was successful.
21-Jul-2021 16:44
Hello Daniel
The problem persists: 2 IPs are seen and the page does not load at the application level.
22-Jul-2021 04:28
Is there another device involved that could modify the X-Forwarded-For header? Either between Cloudflare and BIG-IP or BIG-IP and application server?
KR
Daniel
19-Jul-2021 22:32
Is your application traffic flow like the one given below?
Client --> CloudFlare --> F5 vServer --> Backend servers
If yes, then the XFF setting enabled under the HTTP profile mapped on the vServer is adding the CF IP to the header. The original client IP in the header is added by CF itself. In this case, disabling the XFF setting under the F5 HTTP profile should help you. But this change/setting will apply to all the application URLs which are on that vServer.
22-Jul-2021 11:00
Hello Daniel
At the moment the traffic flow is: Cloudflare-->F5 Virtual Server--> Backend Servers
On the backend servers (httpd.conf file), I have the following lines to capture the remote IP address:
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
22-Jul-2021 13:07
Hello Satyr,
You should add a log statement to the iRule or do a tcpdump in order to monitor whether the True-Client-IP header contains two IP addresses or if the second IP is added by something else to the XFF header.
KR
Daniel
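
The log statement suggested above, written out as an added example (not code from the thread or from F5). It assumes Cloudflare is sending True-Client-IP and that the virtual server only accepts connections from Cloudflare; the log message layout is made up for illustration.

```tcl
when HTTP_REQUEST {
    # Address of the connecting peer (expected to be a Cloudflare edge node)
    set peer [IP::client_addr]
    # "values" returns every occurrence of the header, so a duplicated
    # X-Forwarded-For line shows up as more than one list element
    set tci [HTTP::header values "True-Client-IP"]
    set xff [HTTP::header values "X-Forwarded-For"]
    log local0. "in: peer=$peer True-Client-IP=($tci) X-Forwarded-For=($xff)"

    # True-Client-IP is an ordinary request header: it can only be trusted
    # when nothing but Cloudflare can reach this virtual server.
    if { [HTTP::header exists "True-Client-IP"] } {
        set client [HTTP::header value "True-Client-IP"]
        # Remove every inbound X-Forwarded-For line before writing one,
        # otherwise the insert only adds a second line next to the old one
        HTTP::header remove "X-Forwarded-For"
        HTTP::header insert "X-Forwarded-For" $client
    }
}

when HTTP_REQUEST_RELEASE {
    # Headers as BIG-IP is about to send them to the pool member
    set out [HTTP::header values "X-Forwarded-For"]
    log local0. "out: X-Forwarded-For=($out)"
}
```

The messages are written to /var/log/ltm. If the "out" line holds a single address but the Apache log still shows two, the second one is being added after the BIG-IP.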